The Federal Financial Institutions Examination Council (“FFIEC”), on behalf of the federal banking agencies, has released observations from the recent cybersecurity assessment conducted by the FFIEC and recommended that banks and other regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (“FS-ISAC”). The FS-ISAC is a non-profit, information-sharing organization established by the financial services industry to share physical and cybersecurity threat and vulnerability information. The FS-ISAC issues physical and cybersecurity threat alerts and other critical information to financial institutions, including analyses and recommended solutions from security experts. According to the FFIEC, the banking agencies expect financial institutions of all sizes to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information to evaluate risk and respond accordingly. This requires financial institution management and third-party technology service providers to put in place methods for obtaining, monitoring, sharing and responding to threat and vulnerability information about rapidly evolving cybersecurity risks, according to the FFIEC.
Nutter Notes: During the summer of 2014, the FFIEC member agencies conducted a cybersecurity assessment at more than 500 community banks and other financial institutions to evaluate the institutions’ preparedness to mitigate cybersecurity risks. The assessment supplemented regularly scheduled examinations and built upon certain supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance. The FFIEC’s Cybersecurity Assessment General Observations, released on November 3, suggests questions that chief executive officers and boards of directors may wish to consider when assessing their institutions’ cybersecurity preparedness. The federal banking agencies expect banks to understand their cybersecurity risks and consider current practices and overall preparedness, focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The agencies said that they view information sharing as an important element of a bank’s cybersecurity risk management processes, which should include the ability to identify, respond to, and mitigate cybersecurity threats and incidents.